Re: Sniffer information to track LSASS activity.
From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 04/10/05
- Next message: Arun: "Windows Patch Install Sequence"
- Previous message: Roger Abell: "Re: Allow saves and reads but not edits"
- In reply to: Bill-MT: "Sniffer information to track LSASS activity."
- Next in thread: Bill-MT: "RE: Sniffer information to track LSASS activity."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 10 Apr 2005 11:01:53 -0400
"Bill-MT" <BillMT@discussions.microsoft.com> wrote in message
news:33992CE2-FB25-4A85-A43F-0B3C70533CF3@microsoft.com...
> I think it's caused by a mis-configured piece of software attempting to
> access LSASS inappropriately.
>
> I have a sniffer capturing packets sent to this machine, however, since this
> DC also provides DNS and WINS functionality besides being a DC, it's hard to
> find anything useful in the captures. The DC as you expect talks to a lot of
> machines a lot of ways.
>
> So, what I was wondering is if anyone can tell me what to filter my sniffer
> captures on to find out the start of transaction packet for any machine
> attempting to hit the LSASS service. If I can find that, I can make a list
> of machines which appear to be starting transactions every 60 secs against
> that host.
A good sniffer will let you write a filter on what traffic you capture
and/or what traffic it displays after the capture. I can't tell you exactly
how to do this because 1) you haven't said what sniffer you're running and
2) this is a Microsoft support newsgroup, and you're probably not using a
Microsoft sniffer.
www.ethereal.com is a good and popular sniffer for Windows. Writing filters
for ethereal can be a little esoteric, but there is plenty of information in
Google. In your case, I would suggest writing capture filters before
starting the capture to filter out traffic you don't want to see. DNS
lookups are mostly done on UDP port 53, and I'm guessing the WINS traffic
you are seeing is mostly on UDP 137? Do a capture with that traffic
filtered out, and if you're still getting large amounts of "uninteresting"
traffic, write additional filters and re-capture.
Capturing the network traffic may be useful, but it is possible that you
might not be able to determine the cause of the problem from network traces.
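The filter-then-correlate approach described in the reply above, worked through as an added example; this is not code from the original thread or from either poster. It assumes a placeholder DC address (192.0.2.10), treats a bare TCP SYN toward the DC as the "start of transaction" packet (the original question does not define that term), and runs over a small set of constructed packet records standing in for a decoded capture. The capture filter string is in the BPF syntax that Ethereal/tcpdump capture filters use, and the display filter uses Ethereal/Wireshark field names; neither is from the original post. The script does not know which ports LSASS-related traffic uses, it simply reports every source that opens a new session at a regular interval near 60 seconds once DNS and WINS chatter is removed.

```python
"""Find hosts that start a new transaction against a DC about every 60 s.

Added example, not from the original newsgroup thread. Steps mirror the reply:
  1. drop DNS (UDP/53) and WINS (UDP/137) with a capture filter,
  2. treat the remaining bare TCP SYNs to the DC as transaction starts,
  3. list sources whose starts recur at a steady ~60 s period.
All addresses and packets below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

DC_IP = "192.0.2.10"  # assumed placeholder address for the DC (RFC 5737 range)

# Capture filter (BPF syntax, as used by Ethereal/tcpdump capture filters).
CAPTURE_FILTER = f"dst host {DC_IP} and not (udp port 53 or udp port 137)"
# Equivalent post-capture display filter (Ethereal/Wireshark field names),
# narrowed to bare SYNs so only session starts are shown.
DISPLAY_FILTER = (f"ip.dst == {DC_IP} && !(udp.port == 53 || udp.port == 137)"
                  " && tcp.flags.syn == 1 && tcp.flags.ack == 0")


@dataclass(frozen=True)
class Packet:
    """Minimal decoded-packet record: what a sniffer would give per frame."""
    ts: float          # seconds since capture start
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    dport: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}


def passes_capture_filter(pkt, dc_ip=DC_IP):
    """Emulates CAPTURE_FILTER: keep traffic to the DC except DNS and WINS."""
    if pkt.dst != dc_ip:
        return False
    if pkt.proto == "udp" and pkt.dport in (53, 137):
        return False
    return True


def is_transaction_start(pkt):
    """Assumption: a SYN without ACK is the first packet of a new session."""
    return pkt.proto == "tcp" and "SYN" in pkt.flags and "ACK" not in pkt.flags


def transaction_starts(packets, dc_ip=DC_IP):
    """Map each source address to the sorted timestamps of its session starts."""
    starts = defaultdict(list)
    for pkt in packets:
        if passes_capture_filter(pkt, dc_ip) and is_transaction_start(pkt):
            starts[pkt.src].append(pkt.ts)
    return {src: sorted(ts) for src, ts in starts.items()}


def periodic_sources(starts, period=60.0, tolerance=5.0, min_starts=3):
    """Return {src: mean_gap} for sources whose starts all recur every ~period s."""
    hits = {}
    for src, ts in starts.items():
        if len(ts) < min_starts:
            continue
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            hits[src] = round(mean(gaps), 1)
    return hits


def _tcp(ts, src, dport, *flags):
    return Packet(ts, src, DC_IP, "tcp", dport, frozenset(flags))


def _udp(ts, src, dport):
    return Packet(ts, src, DC_IP, "udp", dport)


# Constructed sample capture (not real data).
SAMPLE_PACKETS = [
    # 192.0.2.50 opens a fresh TCP session to the DC every ~60 s: the suspect.
    _tcp(0.0, "192.0.2.50", 445, "SYN"),
    _tcp(0.3, "192.0.2.50", 445, "ACK"),        # in-session data, not a start
    _tcp(60.2, "192.0.2.50", 445, "SYN"),
    _tcp(119.9, "192.0.2.50", 445, "SYN"),
    _tcp(180.1, "192.0.2.50", 445, "SYN"),
    _tcp(240.0, "192.0.2.50", 445, "SYN"),
    # 192.0.2.51 talks to the DC at irregular times: an ordinary client.
    _tcp(5.0, "192.0.2.51", 389, "SYN"),
    _tcp(33.4, "192.0.2.51", 389, "SYN"),
    _tcp(140.7, "192.0.2.51", 389, "SYN"),
    _tcp(301.2, "192.0.2.51", 389, "SYN"),
    # DNS and WINS chatter, which the capture filter removes.
    _udp(1.0, "192.0.2.52", 53), _udp(61.0, "192.0.2.52", 53), _udp(121.0, "192.0.2.52", 53),
    _udp(2.0, "192.0.2.53", 137), _udp(62.0, "192.0.2.53", 137), _udp(122.0, "192.0.2.53", 137),
    # Broadcast not addressed to the DC at all.
    Packet(3.0, "192.0.2.54", "192.0.2.255", "udp", 138),
]


def analyze(packets=SAMPLE_PACKETS):
    """Full pipeline: filter, extract session starts, report periodic sources."""
    return periodic_sources(transaction_starts(packets))


if __name__ == "__main__":
    print("capture filter :", CAPTURE_FILTER)
    print("display filter :", DISPLAY_FILTER)
    for src, gap in analyze().items():
        print(f"{src}: new session to the DC every ~{gap} s")
```

On a real capture the same logic runs over the decoded frames (for example a tshark or Ethereal export with timestamp, addresses, protocol, port and TCP flags); the tolerance and minimum-start thresholds are the knobs to widen if the offending client's timer drifts. As the reply notes, a host that shows up here is a lead, not a diagnosis: the trace tells you who is opening sessions on a timer, not which process on that host is doing it.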